Thanks for the report. On 1/12/13 the addon auctionator had a trojan (since we don't host that addon: http://www.curse.com/addons/wow/auctionator#c4438 and as you can see it's now clean). This trojan required that you click on the folder auctionator.lnk, which is highly unlikely anyone would do. It looks like the author only removed the auctionator.lnk file but not the thumbs.db folder.

I have put it on hold until the offending files are removed and contacted the author. You need the auctionator.lnk file to execute the trojan, which the author removed but just forgot the thumbs.db folder, so it is safe.

Kaelten said a hacker got in there and uploaded the infected file. Did that happen here as well?

A hacker got access to two accounts and used one of them to upload the virus-laden file. I've tracked down about five IP addresses and blocked them all, and as of right now it appears to be the only file he infected.